AWS is architected to be one of the most flexible and secure cloud computing environments available today. It provides an extremely scalable, highly reliable platform that enables customers to deploy applications and data quickly and securely. When using AWS, not only are infrastructure headaches removed, but so are many of the security issues that come with them.
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Amazon Web Services
Learn how AWS IAM enables you to control who can do what in your AWS environment. We discuss how IAM provides flexible access control that helps you maintain security while adapting to your evolving business needs. Wel review how to integrate AWS IAM with your existing identity directories via identity federation. We outline some of the unique challenges that make providing IAM for the cloud a little different. And throughout the presentation, we highlight recent features that make it even easier to manage the security of your workloads on the cloud.
In this webinar, you'll learn about the foundational security blocks and how to start using them effectively to create robust and secure architectures. Discover how Identity and Access management is done and how it integrates with other AWS services. In addition, learn how to improve governance by using AWS Security Hub, AWS Config and CloudTrail to gain unprecedented visibility of activity in the account. Subsequently use AWS Config rules to rectify configuration issues quickly and effectively.
Designing security & governance via AWS Control Tower & Organizations - SEC30...Amazon Web Services
Whether it is per business unit or per application, many AWS customers use multiple accounts to meet their infrastructure isolation, separation of duties, and billing requirements. In this session, we cover considerations, limitations, and security patterns when building a multi-account strategy. We explore topics such as thought pattern, identity federation, cross-account roles, consolidated logging, and account governance. We conclude by presenting an enterprise-ready landing-zone framework and providing the background needed to implement an AWS Landing Zone using AWS Control Tower and AWS Organizations.
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
by Fritz Kunstler, Sr. Security Consultant, AWS
AWS Identity and Access Management (IAM) is first in the Security Perspective of the AWS Cloud Adoption Framework CAF because in the cloud, first you grant access and only then can you provision infrastructure (the opposite approach of on-premises). In this session, you will learn how to define fine-grained access to AWS resources via users, roles, and groups; design privileged user and multifactor authentication mechanisms; and operate IAM at scale.
This session is designed to introduce you to fundamental cloud computing and AWS security concepts that will help you prepare for the Security Week sessions, demos, and labs. We will ensure you have an AWS account and understand EC2, prepare you to get set up on the AWS Command Line Interface (CLI) to access the AWS Management Console, introduce you to in source repositories, discuss SSH access and necessary SDKs, and more.
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Amazon Web Services
Learn how AWS IAM enables you to control who can do what in your AWS environment. We discuss how IAM provides flexible access control that helps you maintain security while adapting to your evolving business needs. Wel review how to integrate AWS IAM with your existing identity directories via identity federation. We outline some of the unique challenges that make providing IAM for the cloud a little different. And throughout the presentation, we highlight recent features that make it even easier to manage the security of your workloads on the cloud.
In this webinar, you'll learn about the foundational security blocks and how to start using them effectively to create robust and secure architectures. Discover how Identity and Access management is done and how it integrates with other AWS services. In addition, learn how to improve governance by using AWS Security Hub, AWS Config and CloudTrail to gain unprecedented visibility of activity in the account. Subsequently use AWS Config rules to rectify configuration issues quickly and effectively.
Designing security & governance via AWS Control Tower & Organizations - SEC30...Amazon Web Services
Whether it is per business unit or per application, many AWS customers use multiple accounts to meet their infrastructure isolation, separation of duties, and billing requirements. In this session, we cover considerations, limitations, and security patterns when building a multi-account strategy. We explore topics such as thought pattern, identity federation, cross-account roles, consolidated logging, and account governance. We conclude by presenting an enterprise-ready landing-zone framework and providing the background needed to implement an AWS Landing Zone using AWS Control Tower and AWS Organizations.
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
by Fritz Kunstler, Sr. Security Consultant, AWS
AWS Identity and Access Management (IAM) is first in the Security Perspective of the AWS Cloud Adoption Framework CAF because in the cloud, first you grant access and only then can you provision infrastructure (the opposite approach of on-premises). In this session, you will learn how to define fine-grained access to AWS resources via users, roles, and groups; design privileged user and multifactor authentication mechanisms; and operate IAM at scale.
This session is designed to introduce you to fundamental cloud computing and AWS security concepts that will help you prepare for the Security Week sessions, demos, and labs. We will ensure you have an AWS account and understand EC2, prepare you to get set up on the AWS Command Line Interface (CLI) to access the AWS Management Console, introduce you to in source repositories, discuss SSH access and necessary SDKs, and more.
AWS provides a range of security services and features that AWS customers can use to secure their content and applications and meet their own specific business requirements for security. This presentation focuses on how you can make use of AWS security features to meet your own organisation's security and compliance objectives.
Monitor All Your Things: Amazon CloudWatch in Action with BBC (DEV302) - AWS ...Amazon Web Services
Come learn what's new with Amazon CloudWatch, and watch as we leverage new capabilities to better monitor our systems and resources. We also walk you through the journey that BBC took in monitoring its custom off-cloud infrastructure alongside its AWS cloud resources.
by Greg McConnel, Sr. Solutions Architect, AWS
We take an in-depth look at the AWS Identity and Access Management (IAM) policy language. We start with the basics of the policy language and how to create and attach policies to IAM users, groups, and roles. As we dive deeper, we explore policy variables, conditions, and other tools to help you author least privilege policies. Throughout the session, we cover some common use cases, such as granting a user secure access to an Amazon S3 bucket and launching an Amazon EC2 instance of a specific type.
by Fritz Kunstler, Sr. AWS Security Consultant AWS
Join us for four days of security and compliance sessions and hands-on labs led by our AWS security pros during AWS Security Week at the San Francisco Loft. Join us for all four days, or pick just the days that are most relevant to you. We'll open on Monday with Security 101 day, followed by sessions Tuesday on Identity and Access Management, our popular Threat Detection and Remediation day Wednesday will feature an updated GuardDuty lab, and we'll end Thursday with Incident Response sessions, labs, and a talk by Netflix on their new open source IR tool. This week will also feature Dome9 as a sponsor, and you can hear them speak and present a hands-on workshop Monday during Security 101 day.
Whether you are a traditional enterprise exploring migrating workloads to the cloud or are already “all-in” on AWS, performing common tasks of inventory collection, OS patch management, and image creation at scale is increasingly complicated in hybrid infrastructure environments. Amazon EC2 Systems Manager allows you to perform automated configuration and ongoing management of your hybrid environment systems at scale. This session provides an overview of key EC2 Systems Manager capabilities that help you define and track system configurations, prevent drift, and maintain software compliance of your EC2 and on-premises configurations. We will also discuss common use cases for EC2 Systems Manager and give you a demonstration of a hybrid-cloud management scenario.
다시보기 영상 링크: https://youtu.be/QGgQOcA3W6w
클라우드로의 마이그레이션이 증가하면서, 퍼블릭 클라우드를 목표로 한 공격도 폭증하고 있습니다. 특히, 클라우드 관리자의 자격증명을 탈취하려는 시도나 탈취된 자격증명을 이용하여 중요정보를 유출하고 대규모로 비트코인 채굴을 시도하는 행위들이 늘어가고 있습니다. AWS로의 이관을 고려하고 있거나 사용중인 고객들이라면, 이와 같이 클라우드의 특성을 활용하여 발생하고 있는 정교한 보안 위협들에 대응하기 위한 방법을 고민하셔야 합니다. 본 세션에서는 이러한 클라우드 네이티브 위협들에 효과적으로 대응하는 기능을 제공하는 GuardDuty, Inspector, Config, SecurityHub와 같은 AWS 보안 서비스들에 대한 설명을 진행합니다.
In this session, we first cover build-out and design fundamentals for VPCs, including selecting your IP space, subnetting, routing, security, and more. We then discuss different approaches and scenarios for connecting your VPC to your data center with AWS VPN or AWS Direct Connect. Throughout this presentation, we discuss our latest networking services and updates, including AWS Transit Gateway and AWS PrivateLink. This mid-level architecture discussion is for architects, network administrators, and technology decision makers interested in understanding the building blocks that AWS makes available with Amazon VPC. Learn how to connect VPCs with your offices and data center footprint.
Moving from an on-premises environment into AWS is just the start of the journey towards cost optimisation. In this session we’ll look at a range of ways in which our customers can understand their costs and increase their return-on-investment: building the business case; selecting the right models for the right workloads; benefiting from tiered pricing aggregation; using data to drive the choice of AWS services; implementation of intelligent auto-scaling; and, where appropriate, re-platforming to make use of new architectural patterns such as Serverless.
by Fritz Kunstler, Sr. Security Consultant, AWS
AWS Organizations offers policy-based management for multiple AWS Accounts. Learn how Organizations helps you more easily manage policies for groups of accounts and automate account creation.
AWS CloudFormation is a service that helps you model and set up your Amazon Web Services resources so you can spend less time managing those resources, and more time focusing on your applications.
This slide will guide you, how to write JSON templet.
by Michael St. Onge, Global Cloud Security Architect, AWS
Join us for this hands-on lab where you will learn about the new service Amazon GuardDuty by walking through its capabilities and some real-world attack scenarios. You will need an AWS account to do the lab. This should be your own personal account and not an account through your company given the activity in the lab. AWS Credits will be provided to help cover any costs incurred in the lab. Level 300
This session is focused on diving into the AWS IAM policy categories to understand the differences, learn how the policy evaluation logic works, and go over some best practices. We will then walk through how to use permission boundaries to truly delegate administration in AWS.
Training for AWS Solutions Architect at http://zekelabs.com/courses/amazon-web-services-training-bangalore/.This slide describes about cloud watch key concepts, workflow, dashboard, metrics, cloud watch agent, alarms, events and logs.
___________________________________________________
zekeLabs is a Technology training platform. We provide instructor led corporate training and classroom training on Industry relevant Cutting Edge Technologies like Big Data, Machine Learning, Natural Language Processing, Artificial Intelligence, Data Science, Amazon Web Services, DevOps, Cloud Computing and Frameworks like Django,Spring, Ruby on Rails, Angular 2 and many more to Professionals.
Reach out to us at www.zekelabs.com or call us at +91 8095465880 or drop a mail at info@zekelabs.com
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Amazon Web Services
AWS Control Tower is a new AWS service that cloud administrators can use to set up and govern their secure, compliant, multi-account environments on AWS. In this session, we show you how Control Tower automates the creation of a secure and compliant landing zone with best-practice blueprints for a multi-account structure, identity and federated access management, a central log archive, cross-account security audits, and workflows for provisioning accounts with pre-approved configurations. We also discuss guardrails—pre-packaged governance rules created for security, operations, and compliance that you can apply enterprise-wide or to groups of accounts to enforce policies or detect violations. Finally, we show you how to easily manage and monitor all this through the Control Tower dashboard.
AWS Control Tower is a new AWS service that cloud administrators can use to set up and govern their secure, compliant, multi-account environments on AWS. In this session, we show you how Control Tower automates the creation of a secure and compliant landing zone with best-practice blueprints for a multi-account structure, identity and federated access management, a central log archive, cross-account security audits, and workflows for provisioning accounts with pre-approved configurations. We also discuss guardrails—pre-packaged governance rules created for security, operations, and compliance that you can apply enterprise-wide or to groups of accounts to enforce policies or detect violations. Finally, we show you how to easily manage and monitor all this through the Control Tower dashboard.
(HLS401) Architecting for HIPAA Compliance on AWS | AWS re:Invent 2014Amazon Web Services
This session brings together the interests of engineering, compliance, and security experts, and shows you how to align your AWS workload to the controls in the HIPAA Security Rule. You hear from customers who process and store Protected Health Information (PHI) on AWS, and you learn how they satisfied their compliance requirements while maintaining agility. This session helps security and compliance experts find out what is technically possible on AWS and learn how implementing the Technical Safeguards in the HIPAA Security Rule can be simple and familiar. We walk through the Technical Safeguards of the Security Rule and map them to AWS features and design choices to help developers, operations teams, and engineers speak the language of their security and compliance peers.
AWS provides a range of security services and features that AWS customers can use to secure their content and applications and meet their own specific business requirements for security. This presentation focuses on how you can make use of AWS security features to meet your own organisation's security and compliance objectives.
Monitor All Your Things: Amazon CloudWatch in Action with BBC (DEV302) - AWS ...Amazon Web Services
Come learn what's new with Amazon CloudWatch, and watch as we leverage new capabilities to better monitor our systems and resources. We also walk you through the journey that BBC took in monitoring its custom off-cloud infrastructure alongside its AWS cloud resources.
by Greg McConnel, Sr. Solutions Architect, AWS
We take an in-depth look at the AWS Identity and Access Management (IAM) policy language. We start with the basics of the policy language and how to create and attach policies to IAM users, groups, and roles. As we dive deeper, we explore policy variables, conditions, and other tools to help you author least privilege policies. Throughout the session, we cover some common use cases, such as granting a user secure access to an Amazon S3 bucket and launching an Amazon EC2 instance of a specific type.
by Fritz Kunstler, Sr. AWS Security Consultant AWS
Join us for four days of security and compliance sessions and hands-on labs led by our AWS security pros during AWS Security Week at the San Francisco Loft. Join us for all four days, or pick just the days that are most relevant to you. We'll open on Monday with Security 101 day, followed by sessions Tuesday on Identity and Access Management, our popular Threat Detection and Remediation day Wednesday will feature an updated GuardDuty lab, and we'll end Thursday with Incident Response sessions, labs, and a talk by Netflix on their new open source IR tool. This week will also feature Dome9 as a sponsor, and you can hear them speak and present a hands-on workshop Monday during Security 101 day.
Whether you are a traditional enterprise exploring migrating workloads to the cloud or are already “all-in” on AWS, performing common tasks of inventory collection, OS patch management, and image creation at scale is increasingly complicated in hybrid infrastructure environments. Amazon EC2 Systems Manager allows you to perform automated configuration and ongoing management of your hybrid environment systems at scale. This session provides an overview of key EC2 Systems Manager capabilities that help you define and track system configurations, prevent drift, and maintain software compliance of your EC2 and on-premises configurations. We will also discuss common use cases for EC2 Systems Manager and give you a demonstration of a hybrid-cloud management scenario.
다시보기 영상 링크: https://youtu.be/QGgQOcA3W6w
클라우드로의 마이그레이션이 증가하면서, 퍼블릭 클라우드를 목표로 한 공격도 폭증하고 있습니다. 특히, 클라우드 관리자의 자격증명을 탈취하려는 시도나 탈취된 자격증명을 이용하여 중요정보를 유출하고 대규모로 비트코인 채굴을 시도하는 행위들이 늘어가고 있습니다. AWS로의 이관을 고려하고 있거나 사용중인 고객들이라면, 이와 같이 클라우드의 특성을 활용하여 발생하고 있는 정교한 보안 위협들에 대응하기 위한 방법을 고민하셔야 합니다. 본 세션에서는 이러한 클라우드 네이티브 위협들에 효과적으로 대응하는 기능을 제공하는 GuardDuty, Inspector, Config, SecurityHub와 같은 AWS 보안 서비스들에 대한 설명을 진행합니다.
In this session, we first cover build-out and design fundamentals for VPCs, including selecting your IP space, subnetting, routing, security, and more. We then discuss different approaches and scenarios for connecting your VPC to your data center with AWS VPN or AWS Direct Connect. Throughout this presentation, we discuss our latest networking services and updates, including AWS Transit Gateway and AWS PrivateLink. This mid-level architecture discussion is for architects, network administrators, and technology decision makers interested in understanding the building blocks that AWS makes available with Amazon VPC. Learn how to connect VPCs with your offices and data center footprint.
Moving from an on-premises environment into AWS is just the start of the journey towards cost optimisation. In this session we’ll look at a range of ways in which our customers can understand their costs and increase their return-on-investment: building the business case; selecting the right models for the right workloads; benefiting from tiered pricing aggregation; using data to drive the choice of AWS services; implementation of intelligent auto-scaling; and, where appropriate, re-platforming to make use of new architectural patterns such as Serverless.
by Fritz Kunstler, Sr. Security Consultant, AWS
AWS Organizations offers policy-based management for multiple AWS Accounts. Learn how Organizations helps you more easily manage policies for groups of accounts and automate account creation.
AWS CloudFormation is a service that helps you model and set up your Amazon Web Services resources so you can spend less time managing those resources, and more time focusing on your applications.
This slide will guide you, how to write JSON templet.
by Michael St. Onge, Global Cloud Security Architect, AWS
Join us for this hands-on lab where you will learn about the new service Amazon GuardDuty by walking through its capabilities and some real-world attack scenarios. You will need an AWS account to do the lab. This should be your own personal account and not an account through your company given the activity in the lab. AWS Credits will be provided to help cover any costs incurred in the lab. Level 300
This session is focused on diving into the AWS IAM policy categories to understand the differences, learn how the policy evaluation logic works, and go over some best practices. We will then walk through how to use permission boundaries to truly delegate administration in AWS.
Training for AWS Solutions Architect at http://zekelabs.com/courses/amazon-web-services-training-bangalore/.This slide describes about cloud watch key concepts, workflow, dashboard, metrics, cloud watch agent, alarms, events and logs.
___________________________________________________
zekeLabs is a Technology training platform. We provide instructor led corporate training and classroom training on Industry relevant Cutting Edge Technologies like Big Data, Machine Learning, Natural Language Processing, Artificial Intelligence, Data Science, Amazon Web Services, DevOps, Cloud Computing and Frameworks like Django,Spring, Ruby on Rails, Angular 2 and many more to Professionals.
Reach out to us at www.zekelabs.com or call us at +91 8095465880 or drop a mail at info@zekelabs.com
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Amazon Web Services
AWS Control Tower is a new AWS service that cloud administrators can use to set up and govern their secure, compliant, multi-account environments on AWS. In this session, we show you how Control Tower automates the creation of a secure and compliant landing zone with best-practice blueprints for a multi-account structure, identity and federated access management, a central log archive, cross-account security audits, and workflows for provisioning accounts with pre-approved configurations. We also discuss guardrails—pre-packaged governance rules created for security, operations, and compliance that you can apply enterprise-wide or to groups of accounts to enforce policies or detect violations. Finally, we show you how to easily manage and monitor all this through the Control Tower dashboard.
AWS Control Tower is a new AWS service that cloud administrators can use to set up and govern their secure, compliant, multi-account environments on AWS. In this session, we show you how Control Tower automates the creation of a secure and compliant landing zone with best-practice blueprints for a multi-account structure, identity and federated access management, a central log archive, cross-account security audits, and workflows for provisioning accounts with pre-approved configurations. We also discuss guardrails—pre-packaged governance rules created for security, operations, and compliance that you can apply enterprise-wide or to groups of accounts to enforce policies or detect violations. Finally, we show you how to easily manage and monitor all this through the Control Tower dashboard.
(HLS401) Architecting for HIPAA Compliance on AWS | AWS re:Invent 2014Amazon Web Services
This session brings together the interests of engineering, compliance, and security experts, and shows you how to align your AWS workload to the controls in the HIPAA Security Rule. You hear from customers who process and store Protected Health Information (PHI) on AWS, and you learn how they satisfied their compliance requirements while maintaining agility. This session helps security and compliance experts find out what is technically possible on AWS and learn how implementing the Technical Safeguards in the HIPAA Security Rule can be simple and familiar. We walk through the Technical Safeguards of the Security Rule and map them to AWS features and design choices to help developers, operations teams, and engineers speak the language of their security and compliance peers.
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...Amazon Web Services
The Department of Defense's Secure Cloud Computing Architecture (SCCA) guidance provides DoD mission owners the security requirements for building a DoD compliant and secure application environment in the cloud. This session will review the DoD Cloud Security Requirements Guide and the DoD SCCA pillars and how they apply to AWS services. We will demonstrate how to build a DoD SCCA environment through automation and configuration management tools as well as discuss how to document security controls implementations. We will answer common questions, such as: how do we connect to a DoD Cloud Access Point? How do we implement a least privilege access control model? And how do we automate security event notifications and remediate issues? This session is designed for both technical and information assurance professionals that want to understand the process to move DoD systems into AWS, secure them, and get them accredited. Learn More: https://aws.amazon.com/government-education/
Tom Jones, Solution Architect at Amazon Web Services leads a 60-minute tour through everything you need to know to develop, deploy and operate your first secure applications and services on AWS.
AWS provides several security capabilities and services to increase privacy and control infrastructure access. Built-in firewalls allow you to create private networks within AWS, and also control network access to your instances and subnets. Identity and access management capabilities enable you to define individual user accounts with permissions across AWS resources. AWS also provides tools and features that enable you to see exactly what’s happening in your AWS environment. In this session, you will gain an understanding of preventive and detective controls at the infrastructure level on AWS. We will cover Identity and Access Management as well as the security aspects of Amazon EC2, Virtual Private Cloud (VPC), Elastic Load Balancing (ELB), and CloudTrail.
Hybrid Infrastructure Integration is an approach to connect on-premises IT resources with AWS and bridge processes, services, and technologies used in common enterprise customer environments. This session addresses connectivity patterns, security controls, account governance, and operations monitoring approaches successfully implemented in enterprise engagements. Infrastructure architects and IT professionals can get an overview of various integration types, approaches, methodologies, and common service patterns, helping them to better understand and overcome typical challenges in hybrid enterprise environments.
Hybrid Infrastructure Integration is an approach to connect on-premises IT resources with AWS and bridge processes, services, and technologies used in common enterprise customer environments. This session addresses connectivity patterns, security controls, account governance, and operations monitoring approaches successfully implemented in enterprise engagements. Infrastructure architects and IT professionals can get an overview of various integration types, approaches, methodologies, and common service patterns, helping them to better understand and overcome typical challenges in hybrid enterprise environments.
Hybrid Infrastructure Integration is an approach to connect on-premises IT resources with AWS and bridge processes, services, and technologies used in common enterprise customer environments. This session addresses connectivity patterns, security controls, account governance, and operations monitoring approaches successfully implemented in enterprise engagements. Infrastructure architects and IT professionals can get an overview of various integration types, approaches, methodologies, and common service patterns, helping them to better understand and overcome typical challenges in hybrid enterprise environments.
Deploy a DoD Secure Cloud Computing Architecture Environment in AWSAmazon Web Services
The Department of Defense's Secure Cloud Computing Architecture (SCCA) guidance provides DoD mission owners the security requirements for building a DoD compliant and secure application environment in the cloud. This session will review the DoD Cloud Security Requirements Guide and the DoD SCCA pillars and how they apply to AWS services. We will demonstrate how to build a DoD SCCA environment through automation and configuration management tools as well as discuss how to document security controls implementations. We will answer common questions, such as: how do we connect to a DoD Cloud Access Point? How do we implement a least privilege access control model? And how do we automate security event notifications and remediate issues? This session is designed for both technical and information assurance professionals that want to understand the process to move DoD systems into AWS, secure them, and get them accredited.
AWS and its partners offer a wide range of tools and features to help you to meet your security objectives. These tools mirror the familiar controls you deploy within your on-premises environments. AWS provides security-specific tools and features across network security, configuration management, access control and data security. In addition, AWS provides monitoring and logging tools to can provide full visibility into what is happening in your environment. In this session, you will get introduced to the range of security tools and features that AWS offers, and the latest security innovations coming from AWS.
In this session, learn how you evaluate, design, build, and manage distributed applications over hybrid infrastructures using Amazon Web Services. This session follows the evolution of a simple legacy data center expansion with
basic connectivity into managing complex hybrid applications. Along the way, we investigate best practice designs in use by AWS customers. Topics covered include: interconnectivity, availability, security, hybrid networks with Amazon VPC and AWS Direct Connect as well as automated provisioning with AWS CloudFormation, and configuration management with AWS OpsWorks.
Speakers:
Miha Kralj, AWS Solutions Architect
Amarpal S. Attwal, Senior Technical Lead, ICT Engineering, Just Eat
Koen van den Biggelaar, AWS Solutions Architect
Best Practices for Deploying Microsoft Workloads on AWSZlatan Dzinic
We will guide you through the best practices associated with deploying Microsoft products and services on AWS. You will find answers to common technical, licensing and supportability questions, we will also look at migrating workloads from you local datacenter (such as Exchange or Sharepoint) to AWS and how to satisfy your core requirements (AD authentication, monitoring, patching). From hybrid architectures, where the AWS cloud is an extension of your data center, to innovative DevOps centric approaches, we will cover the main use cases seen by our customers.
Developing applications on Amazon Web Services (AWS) or moving your business into the cloud is more straightforward than you think. Whether you are a developer eager to learn new skills, a solutions architect who wants to solve existing technology problems, the IT professional who wants access to cost-effective, on-demand computing resources, this slides may help you.
Amazon EC2 Demo - YouTube Recording: http://www.youtube.com/watch?v=kMExnVKhmYc&feature=youtu.be
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...Amazon Web Services
Windows workloads are often the backbone of the data center and AWS Consulting Partners are responsible for the design, deployment, maintenance, and operation of these infrastructures. Deploying and operating a common set of management tooling is challenging and becomes even harder as you try to onboard new customers at scale. In this session, we discuss patterns for deploying a common shared infrastructure to host your management and backend assets. We dive deep on various components of the windows toolkit like core VPC, Active Directory, management tools, and finally a development pipeline. You walk away knowing how to design and deliver a common toolset so that you scale out instantly to any new customer workload.
AWS Public Sector Symposium 2014 Canberra | Security as an Enabler: Improving...Amazon Web Services
The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides; such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA, and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, as well as the tools and services AWS makes available to customers to secure and manage their resources.
We will guide you through the best practices associated with Microsoft products and services on AWS. You will discover how to address the questions (technical, licensing, pricing) associated with migrating existing platforms (such as Exchange or Sharepoint) and satisfy your core the requirements (AD authentication, monitoring, patching). From hybrid architectures, where the AWS cloud as an extension of your data center, to innovative DevOps centric approaches, we will cover the main use cases seen by our customers.
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
Il Forecasting è un processo importante per tantissime aziende e viene utilizzato in vari ambiti per cercare di prevedere in modo accurato la crescita e distribuzione di un prodotto, l’utilizzo delle risorse necessarie nelle linee produttive, presentazioni finanziarie e tanto altro. Amazon utilizza delle tecniche avanzate di forecasting, in parte questi servizi sono stati messi a disposizione di tutti i clienti AWS.
In questa sessione illustreremo come pre-processare i dati che contengono una componente temporale e successivamente utilizzare un algoritmo che a partire dal tipo di dato analizzato produce un forecasting accurato.
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
La varietà e la quantità di dati che si crea ogni giorno accelera sempre più velocemente e rappresenta una opportunità irripetibile per innovare e creare nuove startup.
Tuttavia gestire grandi quantità di dati può apparire complesso: creare cluster Big Data su larga scala sembra essere un investimento accessibile solo ad aziende consolidate. Ma l’elasticità del Cloud e, in particolare, i servizi Serverless ci permettono di rompere questi limiti.
Vediamo quindi come è possibile sviluppare applicazioni Big Data rapidamente, senza preoccuparci dell’infrastruttura, ma dedicando tutte le risorse allo sviluppo delle nostre le nostre idee per creare prodotti innovativi.
Ora puoi utilizzare Amazon Elastic Kubernetes Service (EKS) per eseguire pod Kubernetes su AWS Fargate, il motore di elaborazione serverless creato per container su AWS. Questo rende più semplice che mai costruire ed eseguire le tue applicazioni Kubernetes nel cloud AWS.In questa sessione presenteremo le caratteristiche principali del servizio e come distribuire la tua applicazione in pochi passaggi
Vent'anni fa Amazon ha attraversato una trasformazione radicale con l'obiettivo di aumentare il ritmo dell'innovazione. In questo periodo abbiamo imparato come cambiare il nostro approccio allo sviluppo delle applicazioni ci ha permesso di aumentare notevolmente l'agilità, la velocità di rilascio e, in definitiva, ci ha consentito di creare applicazioni più affidabili e scalabili. In questa sessione illustreremo come definiamo le applicazioni moderne e come la creazione di app moderne influisce non solo sull'architettura dell'applicazione, ma sulla struttura organizzativa, sulle pipeline di rilascio dello sviluppo e persino sul modello operativo. Descriveremo anche approcci comuni alla modernizzazione, compreso l'approccio utilizzato dalla stessa Amazon.com.
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
L’utilizzo dei container è in continua crescita.
Se correttamente disegnate, le applicazioni basate su Container sono molto spesso stateless e flessibili.
I servizi AWS ECS, EKS e Kubernetes su EC2 possono sfruttare le istanze Spot, portando ad un risparmio medio del 70% rispetto alle istanze On Demand. In questa sessione scopriremo insieme quali sono le caratteristiche delle istanze Spot e come possono essere utilizzate facilmente su AWS. Impareremo inoltre come Spreaker sfrutta le istanze spot per eseguire applicazioni di diverso tipo, in produzione, ad una frazione del costo on-demand!
In recent months, many customers have been asking us the question – how to monetise Open APIs, simplify Fintech integrations and accelerate adoption of various Open Banking business models. Therefore, AWS and FinConecta would like to invite you to Open Finance marketplace presentation on October 20th.
Event Agenda :
Open banking so far (short recap)
• PSD2, OB UK, OB Australia, OB LATAM, OB Israel
Intro to Open Finance marketplace
• Scope
• Features
• Tech overview and Demo
The role of the Cloud
The Future of APIs
• Complying with regulation
• Monetizing data / APIs
• Business models
• Time to market
One platform for all: a Strategic approach
Q&A
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
Per creare valore e costruire una propria offerta differenziante e riconoscibile, le startup di successo sanno come combinare tecnologie consolidate con componenti innovativi creati ad hoc.
AWS fornisce servizi pronti all'utilizzo e, allo stesso tempo, permette di personalizzare e creare gli elementi differenzianti della propria offerta.
Concentrandoci sulle tecnologie di Machine Learning, vedremo come selezionare i servizi di intelligenza artificiale offerti da AWS e, anche attraverso una demo, come costruire modelli di Machine Learning personalizzati utilizzando SageMaker Studio.
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
Con l'approccio tradizionale al mondo IT per molti anni è stato difficile implementare tecniche di DevOps, che finora spesso hanno previsto attività manuali portando di tanto in tanto a dei downtime degli applicativi interrompendo l'operatività dell'utente. Con l'avvento del cloud, le tecniche di DevOps sono ormai a portata di tutti a basso costo per qualsiasi genere di workload, garantendo maggiore affidabilità del sistema e risultando in dei significativi miglioramenti della business continuity.
AWS mette a disposizione AWS OpsWork come strumento di Configuration Management che mira ad automatizzare e semplificare la gestione e i deployment delle istanze EC2 per mezzo di workload Chef e Puppet.
Scopri come sfruttare AWS OpsWork a garanzia e affidabilità del tuo applicativo installato su Instanze EC2.
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
Vuoi conoscere le opzioni per eseguire Microsoft Active Directory su AWS? Quando si spostano carichi di lavoro Microsoft in AWS, è importante considerare come distribuire Microsoft Active Directory per supportare la gestione, l'autenticazione e l'autorizzazione dei criteri di gruppo. In questa sessione, discuteremo le opzioni per la distribuzione di Microsoft Active Directory su AWS, incluso AWS Directory Service per Microsoft Active Directory e la distribuzione di Active Directory su Windows su Amazon Elastic Compute Cloud (Amazon EC2). Trattiamo argomenti quali l'integrazione del tuo ambiente Microsoft Active Directory locale nel cloud e l'utilizzo di applicazioni SaaS, come Office 365, con AWS Single Sign-On.
Dal riconoscimento facciale al riconoscimento di frodi o difetti di fabbricazione, l'analisi di immagini e video che sfruttano tecniche di intelligenza artificiale, si stanno evolvendo e raffinando a ritmi elevati. In questo webinar esploreremo le possibilità messe a disposizione dai servizi AWS per applicare lo stato dell'arte delle tecniche di computer vision a scenari reali.
Amazon Web Services e VMware organizzano un evento virtuale gratuito il prossimo mercoledì 14 Ottobre dalle 12:00 alle 13:00 dedicato a VMware Cloud ™ on AWS, il servizio on demand che consente di eseguire applicazioni in ambienti cloud basati su VMware vSphere® e di accedere ad una vasta gamma di servizi AWS, sfruttando a pieno le potenzialità del cloud AWS e tutelando gli investimenti VMware esistenti.
Molte organizzazioni sfruttano i vantaggi del cloud migrando i propri carichi di lavoro Oracle e assicurandosi notevoli vantaggi in termini di agilità ed efficienza dei costi.
La migrazione di questi carichi di lavoro, può creare complessità durante la modernizzazione e il refactoring delle applicazioni e a questo si possono aggiungere rischi di prestazione che possono essere introdotti quando si spostano le applicazioni dai data center locali.
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
Molte aziende oggi, costruiscono applicazioni con funzionalità di tipo ledger ad esempio per verificare lo storico di accrediti o addebiti nelle transazioni bancarie o ancora per tenere traccia del flusso supply chain dei propri prodotti.
Alla base di queste soluzioni ci sono i database ledger che permettono di avere un log delle transazioni trasparente, immutabile e crittograficamente verificabile, ma sono strumenti complessi e onerosi da gestire.
Amazon QLDB elimina la necessità di costruire sistemi personalizzati e complessi fornendo un database ledger serverless completamente gestito.
In questa sessione scopriremo come realizzare un'applicazione serverless completa che utilizzi le funzionalità di QLDB.
Con l’ascesa delle architetture di microservizi e delle ricche applicazioni mobili e Web, le API sono più importanti che mai per offrire agli utenti finali una user experience eccezionale. In questa sessione impareremo come affrontare le moderne sfide di progettazione delle API con GraphQL, un linguaggio di query API open source utilizzato da Facebook, Amazon e altro e come utilizzare AWS AppSync, un servizio GraphQL serverless gestito su AWS. Approfondiremo diversi scenari, comprendendo come AppSync può aiutare a risolvere questi casi d’uso creando API moderne con funzionalità di aggiornamento dati in tempo reale e offline.
Inoltre, impareremo come Sky Italia utilizza AWS AppSync per fornire aggiornamenti sportivi in tempo reale agli utenti del proprio portale web.
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
Molte organizzazioni sfruttano i vantaggi del cloud migrando i propri carichi di lavoro Oracle e assicurandosi notevoli vantaggi in termini di agilità ed efficienza dei costi.
La migrazione di questi carichi di lavoro, può creare complessità durante la modernizzazione e il refactoring delle applicazioni e a questo si possono aggiungere rischi di prestazione che possono essere introdotti quando si spostano le applicazioni dai data center locali.
In queste slide, gli esperti AWS e VMware presentano semplici e pratici accorgimenti per facilitare e semplificare la migrazione dei carichi di lavoro Oracle accelerando la trasformazione verso il cloud, approfondiranno l’architettura e dimostreranno come sfruttare a pieno le potenzialità di VMware Cloud ™ on AWS.
Amazon Elastic Container Service (Amazon ECS) è un servizio di gestione dei container altamente scalabile, che semplifica la gestione dei contenitori Docker attraverso un layer di orchestrazione per il controllo del deployment e del relativo lifecycle. In questa sessione presenteremo le principali caratteristiche del servizio, le architetture di riferimento per i differenti carichi di lavoro e i semplici passi necessari per poter velocemente migrare uno o più dei tuo container.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
AWS Security Best Practices and Design Patterns
1. AWS Security Best Practices &
Design Patterns
Bill Shinn
Principal Security Solutions Architect
2. 1. Network Security Best Practices
2. Security Design Patterns
3. Reducing the Use of Long-term, Privileged Credentials
3. 1. Network Security Best Practices
2. Security Design Patterns
3. Reducing the Use of Long-term, Privileged Credentials
4. AWS lets customers choose where their content goes
Region
US-WEST (N. California) EU-WEST (Ireland)
ASIA PAC
(Tokyo)
ASIA PAC
(Singapore)
US-WEST (Oregon)
US-EAST (Virginia)
SOUTH AMERICA (Sao
Paulo)
GOV CLOUD
ASIA PAC
(Sydney)
5. Take advantage of high availability in every Region
Availability Zone
US-WEST (N. California) EU-WEST (Ireland)
ASIA PAC
(Tokyo)
ASIA PAC (Bejing)
ASIA PAC
(Singapore)
US-WEST (Oregon)
US-EAST (Virginia)
SOUTH AMERICA (Sao
Paulo)
GOV CLOUD
ASIA PAC
(Sydney)
6. Use edge locations to serve content close to your customers
Edge Locations
Seattle
Los Angeles (2) Jacksonville
Dallas(2)
St.Louis
Miami
Palo Alto
London(2)
Ashburn(2)
Newark
New York (2)
Dublin
Amsterdam
Stockholm
Frankfurt(2)
Paris(2)
Singapore(2)
Tokyo
Hong Kong
Sao Paulo
South Bend
San Jose
Osaka
Milan
Sydney
Mumbai
Chennai
7. Amazon EC2 Instance Isolation
Customer 1
Customer 2 Customer n …
Physical Interfaces
Hypervisor
Virtual Interfaces
…
Firewall
Customer 1
Security Groups
Customer 2
Security Groups
Customer n
Security Groups
8. Web Tier
Application Tier
Database Tier
Only specific ports
open to the Internet
Staff can limit app tier
access to a
bastion/management tier
Sync with on-premises
All other Internet ports
blocked by default
database
Amazon EC2
Security Group
Firewall
VPC Security Groups
12. DB Tier App Tier Web Tier Protect Tier
Route Table
IAM
NACL
Internet
Gateway
VPN
Internet
Existing
Perimeter
Security
Stack
Corporate
Data center
VPN
AWS
DX CGW
Network Protection
13. DB Tier App Tier Web Tier Protect Tier
IAM
Internet
Gateway
VPN
Internet
Existing
Perimeter
Security
Stack
Corporate
Data center
VPN
AWS
DX CGW
Instance
Auto Scaling
Host Security
Software
SSH Keys
Managed
Encryption
AMIs
Bastion Host Bootstrapping
CloudFront
Load Distro
Penetration
Testing
Instance Protection
14. DB Tier App Tier Web Tier Protect Tier
IAM
Internet
Gateway
VP
N
Internet
Existing
Perimeter
Security
Stack
Corporate
Data center
VPN
AWS
DX CGW
Database
Oracle TDE
MySQL, MS-SQL
SSL
Oracle NNE
Redshfit
Cluster
Encryption
RDS Auto
Minor Patching
SQL SSL
Clients
DynamoDB,
SimpleDB SSL
EMR Job Flow
Roles
Database Protection
15. DB App Web Protect
In-line Threat Management:
Bastion Host
Protect Tier Bastion
16. DB App Web Protect
In-line Threat Management:
IPS/IDS NAT HA
EIP
1
EIP
2
IPS NAT Layer
EIP
3
EIP
4
App Layer
IPS NAT Layer
App Layer
Availability Zone A Availability Zone B
17. DB Tier App Tier Web Tier Protect Tier
IAM
S3
CloudFront
Route Table
NACL
Internet
Gateway
Internet
Existing
Perimeter
Security
Stack
VPN Corporate
Data center
VPN
AWS
DX CGW
18. End Users/Students/Researchers Internet
VPC CIDR 10.10.0.0/16
Gateway
AZ A AZ B
VPC Public Subnet 10.10.1.0/24 VPC Public Subnet 10.10.2.0/24
Public ELB
Autoscaling
Web Tier
Internal ELB
Autoscaling
Application Tier
VPC Private Subnet 10.10.3.0/24 VPC Private Subnet 10.10.4.0/24
RDS
Master
RDS
Standby
Snapshots
VPC Private Subnet 10.10.5.0/24 VPC Private Subnet 10.10.6.0/24
Web App Hosting
in VPC
Multi-AZ RDS
Data Tier
Existing
Datacenter
VPN Connection
Virtual
Private
Gateway
Customer
Gateway
Or
Direct Connect
Network
Partner
Location
Administrators &
Campus Users
Static/
Streaming
Content
CloudFront
S3
19. Internet
Route 53 Gateway
AZ A AZ B
SG: ELBSecurityGroup
VPC Public Subnet 10.40.1.0/24 Public ELB in
VPC Public Subnet 10.40.2.0/24
TCP mode w/ Proxy Protocol
SG:
HAProxySecurityGroup
HAProxy tier – if needed, session state
managed via client-side cookie inserted by
HAProxy. HAProxy nodes route to web server
where user session exists, regardless of
which HAProxy instance ELB directs client to.
SSL termination/re-encryption. Keys stored in
S3, retrieved by CloudFormation at system
launch using entitlements of IAM role for EC2.
Support for Proxy Protocol, x-forwarded-for,
and JSESSION cookie (appsession) for sticky
sessions via hashtable if needed.
HAProxy/
Public
SSL
HAProxy/P
ublic SSL
HAProxy/P
ublic SSL
HAProxy/P
ublic SSL
VPC Private Subnet 10.40.3.0/24 VPC Private Subnet 10.40.4.0/24
Tomcat/P
rivate
SSL
Tomcat/P
rivate
SSL
Tomcat/P
rivate
SSL
Tomcat/P
rivate
SSL
SG: WebSecurityGroup
HAProxy tier performs backend encryption
between HAProxy nodes and Tomcat nodes.
Keys stored in S3, retrieved by
CloudFormation at system launch using
entitlements of IAM role for EC2.
VPC Private Subnet 10.40.5.0/24 VPC Private Subnet 10.40.6.0/24
20. Internet
Route 53 Gateway
AZ A AZ B
SG: HAProxySecurityGroup
HAProxy tier – if needed, session state
managed via client-side cookie inserted by
HAProxy. HAProxy nodes route to web server
where user session exists, regardless of
which HAProxy instance ELB directs client to.
SSL termination/re-encryption. Keys stored in
S3, retrieved by CloudFormation at system
launch using entitlements of IAM role for EC2.
Support for Proxy Protocol, x-forwarded-for,
and JSESSION cookie (appsession) for sticky
sessions via hashtable if needed.
HAProxy/
Public
SSL
HAProxy/P
ublic SSL
HAProxy/P
ublic SSL
HAProxy/P
ublic SSL
VPC Public Subnet 10.40.3.0/24 VPC Public Subnet 10.40.4.0/24
Tomcat/P
rivate
SSL
Tomcat/P
rivate
SSL
Tomcat/P
rivate
SSL
Tomcat/P
rivate
SSL
SG: WebSecurityGroup
HAProxy tier performs backend encryption
between HAProxy nodes and Tomcat nodes.
Keys stored in S3, retrieved by
CloudFormation at system launch using
entitlements of IAM role for EC2.
VPC Private Subnet 10.40.5.0/24 VPC Private Subnet 10.40.6.0/24
21. VPC Best Practices
Leverage existing governance
• Address space allocation
• Internet access policies
• Management of routing protocol and route advertisements
IAM policies for VPC actions
• Separation of duties
• Authentication & authorization enforcement
Network Filtering
• Use security groups for stateful network packet filtering
• Use stateless network ACLs for separation of duties and coarse-grained
management
Connecting VPCs
• Hub and Spoke using Direct Connect
• VPN Hub and Spoke
• VPC Peering
22. EC2 Resource Permissions
Assign permissions to EC2 Resources
Instance
Snapshot
Volume
Combine with existing permissions and policies based on EC2 Actions
to create extremely fine-grained polices for managing AWS resources.
Leverage Tagging and attribute-driven conditions
Tags such as “Production” or “AppName”
Overlay organizational structure such as cost centers or departments
Require dedicated tenancy as a condition
Additional EC2 resources and conditions added through 2014.
23. 1. Network Security Best Practices
2. Security Design Patterns
3. Reducing the Use of Long-term, Privileged Credentials
24. Agile Network Architecture
Update and change private network
addressing, subnets, route tables and
administrative control of network functions
to move systems and applications in
response to vulnerabilities, regulatory
changes, project partnerships, etc.
Security
Groups
Use named security groups to logically
control access between systems of like
trust or based on data classification.
Security attributes of system move with
the system independent of network
location. Relocate systems via API call to
address changing threat environment.
Amazon VPC
+
25. Non-Persistent Platforms
Auto-scaling groups will ensure that
capacity is predictable while you rotate
out portions of the environment. You can
also swap out the base AMI in an auto-scaling
launch configuration with a freshly
patched one, then progressively kill off
stale instances.
Changing the paradigm of what a target
or attack surface looks like. Automation
around Amazon Machine Image creation
and bootstrapping with tools like AWS
OpsWorks, Amazon Elastic Beanstalk,
Chef or Puppet means you can constantly
lay down a moving target.
Amazon Auto-scaling
Groups
AWS Elastic
Compute Cloud
+
26. Standardized Environments & Change Detection
AWS SDKs
Interrogate and describe entire
environment with Java, Python, .NET,
Ruby, PHP or other SDKs. Detect change
in standardized environment
programmatically and integrate with
existing asset and SIEM workflows.
Use CloudFormation to create an
environment that mirrors your security
standards. One API call results in
hardened AMIs with base security
controls installed, predictable firewall and
network configuration, and appropriately
defined access and roles.
+
AWS
CloudFormation
27. Instance Identity
Security token service generates unique
credentials and constantly rotates an
additional token.
Identity and Access Management roles for
EC2 instances provide entitlements to the
instance itself. Credentials are presented
through a RESTful meta-data service
accessible only on the local host.
Credentials can be leveraged by apps
that need to call AWS APIs, retrieve data
from S3, etc. Native integration with SDKs
and CLI tools.
Security Token Service
+
Identity
Management
28. Consolidated API Logging
Log archival solution for life-cycle
management.
CloudTrail provides increased visibility
into your user activity by recording AWS
API calls. Integration with Amazon SNS
and ecosystem partners facilitates
analytics.
Provides logging up and down the stack
in one place (storage, networking,
instances, identity).
Amazon S3 + Glacier
+
AWS CloudTrail
Editor's Notes
And just like an electricity grid, where you would not wire every factory to the same power station, the AWS infrastructure is global, with multiple regions around the globe from which services are available. This means you have control over things like where you applications run, where you data is stored, and where best to serve your customers from.
Each AWS region is also split into Availability Zones, making highly available applications possible from within a region.
Now over 50 cloudfront edge locations.
And the whole footprint is supported by many edge locations, places from which content can be served to your customers for the fast possible response times.